Malicious Codes in Depth
Mohammad Heidari
11/29/2004
Viruses
Defined: [From the obvious analogy with biological viruses.] A cracker program that
searches out other programs and 'infects' them by embedding a copy of itself in them, so
that they become Trojan horses. When these programs are executed, the embedded virus is
executed too, thus propagating the 'infection'. This normally happens invisibly to the
user. Unlike a worm, a virus cannot infect other computers without assistance. It is
propagated by vectors such as humans trading programs with their friends. The virus may do
nothing but propagate itself and then allow the program to run normally. Usually,
however, after propagating silently for a while, it starts doing things like writing cute
messages on the terminal or playing strange tricks with the display. Many nasty viruses,
written by particularly perversely minded crackers, do irreversible damage, like nuking
the entire user's files… [Jargon Dictionary]
A virus is a program that can 'infect' other programs by modifying them; the
modification includes a copy of the virus program, which can then go on to infect other
programs. The key characteristic of a virus is therefore its ability to self-replicate by
modifying a normal program file to include a copy of itself. In November 1983 Fred Cohen (the
"father of the computer virus") conceived the idea of computer viruses as a graduate student at USC.
Cohen wrote the first documented virus and demonstrated it on the USC campus network.
The term "virus" is borrowed from the biological virus; the following table shows the analogy:
| Biological Virus | Computer Virus |
| --- | --- |
| Consists of a DNA or RNA strand surrounded by a protein shell that bonds to the host cell | Consists of a set of instructions stored in a host program |
| No life outside of the host cell | Active only when the host program is executed |
| Replicates by taking over the host's metabolic machinery with its own DNA/RNA | Replicates when the host program is executed or the host file is opened |
| Copies infect other cells | Copies infect (attach to) other host programs |
A virus can do anything that other programs do. The only difference is that it attaches
itself to another program and executes secretly when the host program is run. Once a
virus is executing, it can perform any function such as erasing files and programs.
During its lifetime a typical virus goes through the following four phases:
- Dormant phase: The virus is idle. It will eventually be activated by some event,
such as a date, the presence of another program or file, or the disk exceeding some
capacity limit. Not all viruses have this stage.
- Propagation phase: The virus places an identical copy of itself into other programs
or into certain system areas on the disk. Each infected program will now contain a clone
of the virus, which will itself enter a propagation phase.
- Triggering phase: The virus is activated to perform the function for which it was
intended. As with the dormant phase, the triggering phase can be caused by a variety of
system events, including a count of the number of times that this copy of the virus has
made copies of itself.
- Execution phase: The function is performed. The function may be harmless, such as a
message on the screen, or damaging, such as the destruction of programs and data files.
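Because a file-infecting virus has to modify its host program, the classic defensive check is a known-good baseline of program-file digests. The following is an added example, not code from the paper: it records SHA-256 digests of program files and later reports which files changed, appeared or vanished; the directory layout and file contents are constructed for the demonstration.

```python
"""Baseline integrity check for program files (added example, not from the paper)."""
import hashlib
import os
import tempfile


def sha256_of_file(path):
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(directory, extensions=(".exe", ".com", ".sys")):
    """Map each program file (by extension) under directory to (size, digest)."""
    baseline = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.lower().endswith(extensions):
                path = os.path.join(root, name)
                rel = os.path.relpath(path, directory)
                baseline[rel] = (os.path.getsize(path), sha256_of_file(path))
    return baseline


def compare_to_baseline(directory, baseline):
    """Return relative paths that were modified, added or are missing since the baseline."""
    current = build_baseline(directory)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: one program file changes after the baseline was taken."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in (("HOST.EXE", b"MZ-constructed-host"), ("CLEAN.COM", b"constructed")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(d)
        # Constructed change: the host file grows, as it would if code were appended to it.
        with open(os.path.join(d, "HOST.EXE"), "ab") as f:
            f.write(b"-appended-bytes")
        return compare_to_baseline(d, baseline)


if __name__ == "__main__":
    print(demo())
```

As the stealth virus discussion later in the paper shows, a virus active in memory can feed such a checker the original file contents, so the comparison is only trustworthy when run from a known-clean boot.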
Virus Anatomy
The structure of a virus has four parts:
- Mark: can prevent re-infection attempts
- Infection mechanism: causes spread to other files
- Trigger: the conditions for delivering the payload
- Payload: the possible damage to the infected computer
Figure 3: Anatomy of a virus (stacked boxes: Mark (optional), Infection Mechanism, Trigger (optional), Payload (optional))
Memory-resident virus: lodges in main memory as part of a resident system
program. From that point on, the virus infects every program that executes.
Program file virus: infects program files such as EXE, COM and SYS files. The following
figure shows details:
Figure 5: Program File Viruses
Polymorphic virus: creates copies during replication that are functionally
equivalent but have distinctly different bit patterns. In this case the "signature" of
the virus will vary with each copy. To achieve this variation, the virus may randomly
insert superfluous instructions or interchange the order of independent instructions. A
portion of the virus, generally called a mutation engine, creates a random encryption key
to encrypt the remainder of the virus. The key is stored with the virus, and the mutation
engine itself is altered. When an infected program is invoked, the virus uses the stored
random key to decrypt the virus; when the virus replicates, a different random key is selected.
Boot sector virus: infects the system area of the disk that is
read when the disk is initially accessed or booted. This area can include the master boot
record, the operating system's boot sector, or both. A virus infecting these areas
typically takes the system instructions it finds and moves them to some other area on the
disk. The virus is then free to place its own code in the boot record. When the system
initializes, the virus loads into memory and simply points to the new location of the
system instructions. The system then boots in a normal fashion, except that the virus is now
resident in memory. A boot sector virus can replicate without your executing any programs
from an infected disk; simply accessing the disk is sufficient. For example, most PCs do
a system check on boot-up that verifies the operation of the floppy drive. Even this
verification process is sufficient to activate a boot sector virus if one exists on a
floppy left in the machine, and the hard drive can then become infected as well.
Stealth virus: a form of virus explicitly designed to hide itself from detection by
antivirus software. When the virus is loaded into memory, it monitors system calls to
files and disk sectors; when a call is trapped, the virus modifies the information
returned to the process making the call so that it sees the original, uninfected
information. This helps the virus avoid detection. For example, many boot sector
viruses contain stealth ability. If the infected disk is booted, programs such as FDISK
report a normal boot record, because the virus is intercepting sector calls from FDISK and
returning the original boot sector information. If you boot the system from a clean
floppy disk, however, the drive is inaccessible, and if you run FDISK again the program
reports a corrupted boot sector on the drive. To use stealth, however, the virus must be
actively running in memory, which means that the stealth portion of the virus is itself
vulnerable to detection by antivirus software.
Macro virus: a set of macro commands, specific to an application, that executes
automatically in an unsolicited manner and spreads to that application's
documents. According to the National Computer Security Agency (www.ncsa.com), macro
viruses now make up two-thirds of all computer viruses. Macro viruses are particularly
threatening for a number of reasons:
- A macro virus is platform independent. Virtually all of the macro viruses infect
Microsoft Word documents. Any hardware platform and operating system that supports Word
can be infected.
- Macro viruses infect documents, not executable portions of code. Most of the
information introduced onto a computer system is in the form of a document rather than a
program.
- Macro viruses are easily spread. A very common method is by electronic mail.
Macro viruses take advantage of a feature found in Word and other office applications
such as Microsoft Excel, namely the macro. In essence, a macro is an executable program
embedded in a word processing document or other type of file. What makes it possible to
create a macro virus is the auto-executing macro: a macro that is automatically
invoked, without explicit user input. Common auto-execute events are opening a file,
closing a file and starting an application. Once a macro is running, it can copy itself
to other documents, delete files and cause other sorts of damage to the user's system. In
Microsoft Word there are three types of auto-executing macros:
- Auto-execute: If a macro named AutoExec is in the "Normal.dot" template or in a
global template stored in Word's start-up directory, it is executed whenever Word is
started.
- Auto macro: An auto macro executes when a defined event occurs, such as opening or
closing a document.
- Command macro: If a macro in a global macro file or a macro attached to a document
has the name of an existing Word command, it is executed whenever the user invokes that
command.
A common technique for spreading a macro virus is as follows:
An auto macro or command macro is attached to a Word document that is introduced into a
system by e-mail or disk transfer. After the document is opened, the macro executes. The
macro copies itself to the global macro file. When the next session of Word opens, the
infected global macro is active. When this macro executes, it can replicate itself and
cause damage.
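A detection heuristic for the three macro types and the spreading technique just described, as an added example that is not part of the paper: it scans VBA source already extracted from a document (extraction itself is out of scope here). The auto macro names (AutoExec, AutoNew, AutoOpen, AutoClose, AutoExit) and the command names in COMMAND_NAMES are real Word names; NormalTemplate, OrganizerCopy and VBProject are real Word object model members that the scanner treats as indicators of copying code into the global template, and the two VBA samples are constructed.

```python
"""Flag auto-executing and command macros in extracted VBA source (added example)."""
import re

# Word runs procedures with these names automatically on the named events.
AUTO_MACROS = {"autoexec", "autonew", "autoopen", "autoclose", "autoexit"}
# A procedure named after a built-in command replaces that command (subset of real names).
COMMAND_NAMES = {"filesave", "filesaveas", "fileopen", "fileprint", "toolsmacro", "fileexit"}
# Object model members used to copy code into the global template: indicators, not proof.
GLOBAL_TEMPLATE_HINTS = ("normaltemplate", "organizercopy", "vbproject")

PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)", re.I | re.M)


def scan_vba(source):
    """Return a list of (name, reason) findings for one VBA module."""
    findings = []
    for m in PROC_RE.finditer(source):
        name = m.group(1)
        if name.lower() in AUTO_MACROS:
            findings.append((name, "auto macro: runs on a document or application event"))
        elif name.lower() in COMMAND_NAMES:
            findings.append((name, "command macro: shadows a built-in Word command"))
    lowered = source.lower()
    for hint in GLOBAL_TEMPLATE_HINTS:
        if hint in lowered:
            findings.append((hint, "global template: references the global template or VBA project"))
    return findings


def verdict(findings):
    """'suspicious' when an auto/command macro is combined with global-template access."""
    kinds = {reason.split(":")[0] for _, reason in findings}
    if kinds & {"auto macro", "command macro"} and "global template" in kinds:
        return "suspicious"
    return "review" if findings else "clean"


# Constructed samples for the scanner (not real malware code).
SAMPLE_BENIGN = "Sub FormatReport()\n    Selection.Font.Bold = True\nEnd Sub\n"
SAMPLE_SUSPECT = ("Private Sub AutoOpen()\n    ' constructed: touches the global template\n"
                  "    Set t = NormalTemplate\nEnd Sub\n"
                  "Sub FileSaveAs()\nEnd Sub\n")

if __name__ == "__main__":
    for label, src in (("benign", SAMPLE_BENIGN), ("suspect", SAMPLE_SUSPECT)):
        print(label, verdict(scan_vba(src)), scan_vba(src))
```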
E-mail virus: a more recent development in malicious software is the e-mail virus.
The first rapidly spreading e-mail viruses, such as Melissa, made use of a Microsoft Word
macro embedded in an attachment. If the recipient opens the e-mail attachment, the Word
macro is activated; then:
- The e-mail virus sends itself to everyone on the mailing list in the user's e-mail
package.
- The virus does local damage.
Worms
Can one IP packet cripple the Internet within 10 minutes?
On January 25th, 2003 the "SQL Sapphire/Slammer" worm caused more than 1.2 billion US dollars
in damage: 70% of South Korea's network was paralyzed, 300,000 ISP subscribers in Portugal were knocked
offline, 13,000 Bank of America machines were shut down, and Continental Airlines' ticketing
system was crippled.
Figure 6: SQL Sapphire/Slammer Worm
Worm (n): [From 'tape worm' in John Brunner's novel "The Shockwave Rider"…] A program that
propagates itself over a network, reproducing itself as it goes… [Jargon Dictionary]
A worm is also self-replicating, but it is a stand-alone program that exploits security holes to
compromise other computers and spread copies of itself through the network. Unlike
viruses, worms do not need to attach parasitically to other programs. Because of the
recursive structure of this propagation, the spread rate of worms is very fast and poses
a major threat to the Internet infrastructure as a whole.
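The "recursive structure" of the propagation can be quantified: every infected host scans random addresses, so the number of new infections per second is proportional to the product of infected and still-susceptible hosts, which gives the logistic curve behind the "10 minutes" question above. The following added example (not from the paper) implements that model in closed form and as a step simulation; the scan rate and vulnerable-population figures in example_scenario are illustrative assumptions, not Slammer's measured values.

```python
"""Logistic spread model for a random-scanning worm (added example, not from the paper)."""
import math

IPV4_SPACE = 2 ** 32


def rate_constant(scans_per_second, vulnerable_hosts, address_space=IPV4_SPACE):
    """K: new victims per second that one infected host produces while almost all are susceptible."""
    return scans_per_second * vulnerable_hosts / address_space


def infected_fraction(t, k, a0):
    """Closed-form solution of da/dt = K * a * (1 - a) with a(0) = a0."""
    growth = math.exp(k * t)
    return a0 * growth / (1.0 - a0 + a0 * growth)


def time_to_fraction(target, k, a0):
    """Invert the logistic curve: seconds until the fraction target is infected."""
    return math.log(target * (1.0 - a0) / (a0 * (1.0 - target))) / k


def simulate(k, a0, seconds, dt=0.1):
    """Step the same differential equation forward (Euler); returns the fraction at each step."""
    a, trace = a0, [a0]
    for _ in range(round(seconds / dt)):
        a = min(1.0, a + k * a * (1.0 - a) * dt)
        trace.append(a)
    return trace


def example_scenario():
    """Illustrative assumption: 75,000 vulnerable hosts, 4,000 scans/s each, one seed host."""
    n = 75_000
    k = rate_constant(4_000, n)
    a0 = 1.0 / n
    return {
        "k": k,
        "seconds_to_90pct": time_to_fraction(0.9, k, a0),
        "simulated_after_300s": simulate(k, a0, 300)[-1],
    }


if __name__ == "__main__":
    print(example_scenario())
```

Doubling the scan rate or the vulnerable population doubles K and therefore halves the time to any given fraction, which is why a single small UDP packet per scan and a large unpatched population combine into minutes rather than days.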
Worm Anatomy
Mark: structurally similar to that of a virus, except that the worm is a stand-alone program
instead of a program fragment
Infection mechanism: searches for weakly protected computers through a network
(i.e., worms are network based)
Trigger: the conditions for delivering the payload
Payload: might drop a Trojan horse or parasitically infect files, so worms can
have Trojan horse or virus characteristics
Figure 7: Anatomy of a worm (stacked boxes: Mark (optional), Infection Mechanism, Trigger (optional), Payload (optional))